
Hello Reader, Tonight I changed the course of our testing in a slight detour, OK maybe a hard right, over to Windows 10 because I remembered an artifact that has been bugging me. The UserAssist artifact that has been a friend of mine since 2002 (I wrote about it in 2004 in the first Hacking Exposed Computer Forensics) seems to have had a change in behavior starting in Windows 8. Suddenly we had values showing up in the UserAssist with a run count of 0 and no last execution time. So to remedy this I decided to start some testing and here is what we learned:

Running a Modern app will update the run count and the execution time

Running a desktop app will update the run count and the execution time

The focus count is still unreliable

The focus time is still unreliable

Rebooting does not zero out the values in the UserAssist keys

Some entries in the UserAssist CEBFF GUID specifically appear to not get updated as other versions of the same program do (Process Hacker in this example)

Some things don’t get updated run counts or execution times, so far Microsoft Edge and Cortana appear to behave that way

More testing is needed so we can determine what is affecting the expected behavior.
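
To make the "run count of 0 and no last execution time" case concrete, here is an added example (not code from this post) that decodes one UserAssist value and flags that condition. It assumes the commonly documented 72-byte Windows 7+ layout (run count at offset 4, focus count at 8, focus time in milliseconds at 12, FILETIME of last execution at 60); the function names and sample values are constructed for illustration.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

ENTRY_SIZE = 72  # assumption: Windows 7+ UserAssist value size


def filetime_to_utc(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01) to UTC; 0 means unset."""
    if ft == 0:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_entry(rot13_name, data):
    """Decode one UserAssist value name (ROT13) and its binary data."""
    if len(data) != ENTRY_SIZE:
        raise ValueError(f"expected {ENTRY_SIZE} bytes, got {len(data)}")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_run,) = struct.unpack_from("<Q", data, 60)
    return {
        "name": codecs.decode(rot13_name, "rot_13"),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_ms": focus_ms,
        "last_run": filetime_to_utc(last_run),
        # The case from the post: an entry exists but records no execution.
        "no_execution_evidence": run_count == 0 and last_run == 0,
    }


def build_sample(run_count, focus_count, focus_ms, filetime):
    """Build constructed test data; not taken from a real registry hive."""
    buf = bytearray(ENTRY_SIZE)
    struct.pack_into("<III", buf, 4, run_count, focus_count, focus_ms)
    struct.pack_into("<Q", buf, 60, filetime)
    return bytes(buf)


if __name__ == "__main__":
    # Constructed samples: one entry with execution data, one without.
    samples = [
        (codecs.encode("C:\\Tools\\ProcessHacker.exe", "rot_13"),
         build_sample(3, 5, 42000, 131000000000000000)),
        (codecs.encode("Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge", "rot_13"),
         build_sample(0, 2, 9000, 0)),
    ]
    for name, data in samples:
        print(parse_entry(name, data))
```

An entry flagged `no_execution_evidence` can still carry focus values, which is why the flag is computed from the run count and last execution time only.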